It was discovered that PHP, a general-purpose scripting language commonly used for web application development, did not properly process embedded NUL characters in the subjectAltName extension of X.509 certificates. Depending on the application and with insufficient CA-level checks, this could be abused for impersonating other users.
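
The following is an added illustration, not code from PHP or from this advisory: it contrasts a name check that treats a subjectAltName entry as a C string with one that honours the entry's ASN.1 length and rejects embedded NULs. The struct, function names and sample entries are assumptions constructed for the example, and only exact (non-wildcard) matching is shown.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* A dNSName as stored in the certificate: ASN.1 strings carry an explicit
 * length and may contain any byte, including NUL. */
struct san_entry {
    const unsigned char *data;
    size_t len;
};

/* Constructed sample entries (not taken from any real certificate). */
static const unsigned char NUL_NAME[] = "www.example.com\0.other.example";
static const unsigned char OK_NAME[]  = "www.example.com";
static const struct san_entry SAMPLE_NUL = { NUL_NAME, sizeof NUL_NAME - 1 };
static const struct san_entry SAMPLE_OK  = { OK_NAME,  sizeof OK_NAME - 1 };

/* ASCII case-insensitive comparison of exactly n bytes. */
static int eq_nocase(const unsigned char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower(a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Flawed: treats the entry as a C string, so everything after the first
 * NUL is silently ignored (the samples here are NUL-terminated literals). */
static int match_cstring(const struct san_entry *e, const char *host)
{
    size_t seen = strlen((const char *)e->data);
    return seen == strlen(host) && eq_nocase(e->data, host, seen);
}

/* Length-aware: reject any entry with an embedded NUL, then compare
 * over the full ASN.1 length. */
static int match_length_aware(const struct san_entry *e, const char *host)
{
    if (memchr(e->data, '\0', e->len) != NULL)
        return 0;
    return e->len == strlen(host) && eq_nocase(e->data, host, e->len);
}

int main(void)
{
    printf("cstring:      %d\n", match_cstring(&SAMPLE_NUL, "www.example.com"));
    printf("length-aware: %d\n", match_length_aware(&SAMPLE_NUL, "www.example.com"));
    return 0;
}
```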

For the oldstable distribution (squeeze), this problem has been fixed in version 5.3.3-7+squeeze17.

For the stable distribution (wheezy), this problem has been fixed in version 5.4.4-14+deb7u4.

For the unstable distribution (sid), this problem has been fixed in version 5.5.3+dfsg-1.

We recommend that you upgrade your php5 packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/